07 Jun 2021 | 20:18 UTC

DOJ recovers majority of Bitcoin ransom from Colonial Pipeline hack

Highlights

Ransom seized from digital Bitcoin wallet

First investigation from new task force

Mandates considered for oil and gas sector

The US Department of Justice said June 7 it seized the majority of the nearly $4.5 million Bitcoin ransom paid to the DarkSide criminal hacker group for its attack that ultimately took the Colonial Pipeline fuel network down for nearly a week in May.

The seizure represents the first successful investigation by the Justice Department's new Ransomware and Digital Extortion Task Force, which tracked down the Bitcoin wallet used to collect the ransom from the attack, US Deputy Attorney General Lisa Monaco said in a press conference.

The most devastating cyberattack on a US pipeline stopped the nation's primary artery for gasoline and refined products from delivering more than 100 million gal/d of fuels for nearly a week, triggering pricing spikes, panic-buying and regional shortages. Colonial stretches more than 5,500 miles from the Houston refining hub to New York Harbor, supplying about 45% of all the gasoline and diesel fuel consumed on the East Coast.

Not only did the attack disrupt arguably the nation's most important fuel conduit, but the incident also highlighted the particular vulnerability of the US network of energy pipelines to cyberattacks.

"Ransomware attacks have increased in both scope and sophistication in the last year," Monaco said, "holding businesses and even whole cities hostage for profit."

However, "The old adage, 'follow the money,' still applies and that's exactly what we do," she said. "Today, we turned the tables on DarkSide."

While Colonial Pipeline quickly paid the nearly $4.5 million ransom to the criminal group on May 7, Monaco and other law enforcement officials credited the pipeline company with promptly notifying federal officials and working in concert with them, first to get the pipeline restarted and then to track down the ransom. Close to $2 million of the total payment remains unaccounted for.

The Russia-based DarkSide has victimized more than 90 US businesses or entities, according to the FBI, although the White House has said there was no evidence linking the group to the Russian government. DarkSide operates as a "Ransomware as a Service" organization, called RaaS, essentially leasing out its software to third parties for profit. The rapidly rising RaaS business model is considered arguably the biggest cybersecurity threat to businesses and governments.

"Pay attention now, invest resources now," Monaco warned, calling ransomware attacks an increasing epidemic. "We are all in this together."

Federal reporting mandates

In the meantime, the US Department of Homeland Security has taken some initial steps to tighten the relatively lax cybersecurity standards within the oil and gas pipeline sector.

The pipeline sector currently only has voluntary cybersecurity guidelines set by Homeland Security's Transportation Security Administration -- an agency primarily focused on the airline sector -- and not mandatory standards such as those required of the electricity sector through the North American Electric Reliability Corp.

On May 27, DHS announced that oil and gas pipeline operators must report all cyberattacks to the federal government. More potential mandates remain under consideration, the announcement said.

In an interview on May 28, US Energy Secretary Jennifer Granholm said additional mandates are being discussed now within the Biden administration, including the possible need for legislation.

While companies are motivated to prevent cyberattacks for their business model, the cybercriminals are constantly improving, she said, highlighting the need for more oversight and continuous improvement.

"We definitely need better standards on the oil and gas side of things," Granholm said. "The electricity side already has standards they use to make sure there's minimum cyber protections."

The midstream oil and gas industry said it is supportive of reporting requirements, but concerned about requirements potentially being too broad when there are attempted cyberattacks every day.

"Pipeline operators want to avoid a 'ready, fire, aim' approach from the government where we fail to incorporate lessons learned from Colonial or potentially make things worse by regulating the wrong thing or doing it in the wrong way," said Association of Oil Pipelines Vice President John Stoody on May 27.

Apart from the lack of mandatory cybersecurity requirements for the industry, cybersecurity experts also have pointed out that pipelines are additionally vulnerable because they have so many associated field offices in rural areas along the routes that often have outdated technology.